Users of top-of-the-line Android devices sold in China are getting their personal data pilfered left, right and center, according to new research. The collection, which is happening without notification or consent, could easily lead to the persistent tracking of users and the easy unmasking of their identities.
A study published by computer scientists at several different universities reveals that phone makers like Xiaomi, OnePlus, and Oppo Realme, some of the most popular in China, are all collecting massive amounts of sensitive user data via their respective operating systems, as are a variety of apps that come pre-installed on the phones. The data is also getting hoovered up by an assortment of other private actors, and researchers worry that the devices in question “send a worrying amount of Personally Identifiable Information (PII) not only to the device vendor but also to service providers like Baidu and to Chinese mobile network operators.” Given private industry’s close relationship with the Chinese government, it’s more than enough to raise the specter of broader surveillance concerns for mobile users in China.
What’s the big takeaway? For researchers, there’s clearly some work to be done when it comes to respecting Chinese users’ privacy. “Overall, our findings paint a troubling picture of the state of user data privacy in the world’s largest Android market, and highlight the urgent need for tighter privacy controls to increase the ordinary people’s trust in technology companies, many of which are partially state-owned,” they write.
Researchers experimented with a number of devices purchased from manufacturers in China and conducted network analysis on them to understand relevant data leakage. In general, researchers assumed that the operator of the device would be a “privacy-aware consumer,” who has opted out of sending analytics and personalization data to providers and doesn’t use cloud storage or “any other optional third-party services.”
The PII being collected includes pretty sensitive stuff, including basic user information like phone numbers and persistent device identifiers (IMEI and MAC addresses, advertising IDs, and more), geolocation data (which, obviously, would allow an observer to unmask your physical location), and data related to “social connections”—such as contacts, their phone numbers, and phone and text metadata, the study found. In other words, the recipients of this data would have a pretty clear picture of who is using a particular device, where they are doing it, and who they’re talking to. Phone numbers in China are also tied to an individual “citizen ID,” meaning that it’s inextricably tied to the user’s real, legal identity.
All of that data is getting vacuumed up without any user notification or consent, and there’s no way to opt out of this data collection, according to researchers. The collection also doesn’t stop when the device and the user exit China, despite the fact that different countries have different privacy laws that should impact the way information is collected, the study said. Researchers found that data was sent to Chinese mobile operators even when they weren’t providing service (for example, when no SIM card had been inserted into the device).
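The kind of network analysis described above boils down to watching a device’s outbound traffic and checking which destinations receive which identifiers. The following is an added example, not code from the study or from Gizmodo: a small Python audit that scans constructed request records (the hostnames, IMEI, MAC, advertising ID, phone number and coordinates are all made-up sample values) for the PII categories the study names, flags traffic sent while no SIM card is present, and reports persistent identifiers that more than one recipient has seen, which is what makes cross-party tracking of a single device possible.

```python
import re
from collections import defaultdict

# Constructed sample of outbound HTTP request records, in the shape a
# device-traffic capture might be reduced to. Hosts and values are
# hypothetical placeholders, not taken from the study.
SAMPLE_REQUESTS = [
    {"sim_present": True, "host": "telemetry.vendor.example",
     "body": "imei=356938035643809&mac=AA:BB:CC:DD:EE:FF"
             "&adid=8f2e1c8a-3b7b-4e0f-9b5d-2a7c1e9f0d11"},
    {"sim_present": True, "host": "api.thirdparty.example",
     "body": "lat=39.9042&lon=116.4074&phone=13800138000"},
    {"sim_present": False, "host": "stats.operator.example",
     "body": "imei=356938035643809&model=X1"},
    {"sim_present": True, "host": "cdn.vendor.example",
     "body": "file=wallpaper.png"},
]

# One pattern per PII category the article lists. Non-capturing groups keep
# re.findall() returning whole matches rather than sub-groups.
PII_PATTERNS = {
    "imei": re.compile(r"\b\d{15}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "advertising_id": re.compile(
        r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b"),
    # Mainland Chinese mobile numbers: 11 digits starting 13-19.
    "phone_number": re.compile(r"(?<![\d.])1[3-9]\d{9}(?!\d)"),
    "geolocation": re.compile(r"\blat=-?\d+\.\d+&lon=-?\d+\.\d+"),
}

# Identifiers that persist across sessions and so allow long-term tracking.
PERSISTENT_IDS = ("imei", "mac", "advertising_id")


def find_pii(body):
    """Return the set of PII categories whose pattern matches the request body."""
    return {name for name, pat in PII_PATTERNS.items() if pat.search(body)}


def audit_requests(requests):
    """Map each destination host to the PII categories it received, and list
    requests that carried PII while the device had no SIM card inserted."""
    by_host = defaultdict(set)
    no_sim_leaks = []
    for req in requests:
        found = find_pii(req["body"])
        if not found:
            continue
        by_host[req["host"]].update(found)
        if not req["sim_present"]:
            no_sim_leaks.append((req["host"], sorted(found)))
    return {host: sorted(cats) for host, cats in by_host.items()}, no_sim_leaks


def shared_identifiers(requests):
    """Persistent identifier values seen by more than one destination host;
    separate recipients holding the same value can link their records."""
    seen = defaultdict(set)
    for req in requests:
        for name in PERSISTENT_IDS:
            for value in PII_PATTERNS[name].findall(req["body"]):
                seen[(name, value)].add(req["host"])
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    hosts, no_sim = audit_requests(SAMPLE_REQUESTS)
    for host, cats in hosts.items():
        print(f"{host}: {', '.join(cats)}")
    for host, cats in no_sim:
        print(f"sent with no SIM -> {host}: {', '.join(cats)}")
    for (name, value), recipients in shared_identifiers(SAMPLE_REQUESTS).items():
        print(f"{name} {value} shared by {', '.join(recipients)}")
```

Run against a real capture, the request records would come from a proxy or packet-capture export rather than the inline list, and the pattern table would be extended with whatever identifier formats the platform uses; the two checks that matter stay the same: which hosts get which categories, and which identifiers turn up at more than one of them.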
If you’re even halfway familiar with China’s overall posture towards data privacy, you might find yourself thinking, “Yes, other bombshell revelations include water: wet.” But the researchers’ findings provide specific details about how, exactly, Chinese phone manufacturers and third-party sites are actively collecting user data. The study’s findings also seem to fly in the face of China’s recent passage of a GDPR-style privacy law, which is supposed to protect Chinese consumers from data collection without consent.
Gizmodo reached out to the phone manufacturers in question to ask for comment. We will update this story if they respond.